CISM: Domain 1 - Module 1
1h 8m

In this course, you will be introduced to Domain 1, the first of the four domains of the Certified Information Security Manager (CISM) certification. We begin by introducing the domains covered by the CISM exam and some security concepts before moving on to the strategy of information security governance.

Then we look at the roles, functions, and responsible parties within information security governance. Finally, we take a look at the wide range of resources that complement the human factor when implementing information security.

Learning Objectives

  • Understand the main components and requirements of the CISM Domains
  • Learn about the roles and functions for information security governance
  • Learn about the additional resources that can be used for IT security

Intended Audience

This course is intended for anyone preparing for the Certified Information Security Manager exam or anyone who is simply interested in improving their knowledge of information security governance.


Before taking this course, we recommend taking the CISM Foundations learning path first.


This recording is the second half of the Certified Information Security Manager Certification Prep Course, Part 2 - The Four Domains. Welcome to the second part of the CISM examination prep course. This half of our course presentation covers the four domains as currently published by ISACA. This part of the course will delve into each area in depth and cover the essential points and concepts that CISM candidates must be well familiar with.

The subjects presented in each section will build on and describe further details of the areas you covered in the first half of the course on security foundations. This part is divided into five modules, each one of which will take about an hour or a little more to complete. This format should make your in-depth coverage of these topics easier by providing you several self-contained subject areas and readily explored segments. It will also help you discover areas that may require deeper exploration in order to help you gain an enhanced understanding of the given area.

The information presented here will very likely appear in some form on the CISM exam, whether as an actual question to be answered, as the context for a question on one of the CISM principles, or as part of a scenario-style question. Although we cannot definitely predict which form will appear, there can be little doubt that the information presented here will be very valuable in any case. So be sure to focus on the various concepts that we're going to show to you, and make sure that you grasp them well.

Here we have a display of the four domains as currently established by ISACA. We have Domain 1: Information Security Governance, Domain 2: Information Risk Management and Compliance, Domain 3: Information Security Program Development, and Domain 4: Information Security Incident Management. So let's look at a brief introduction to the CISM itself.

In the world of cybersecurity, the most common topic discussed is that of hackers and state-sponsored bad actors, attacks to defend against, malware; in other words, the discussion topic is about how hostile the world is and how we have to defend our enterprise against those adverse forces in it.

Another topic that is discussed, albeit with somewhat less enthusiasm, is that of governance of the IT resource used by virtually every enterprise either commercial or government worldwide. In comparison to the subject of defense, governance and operations of IT is certainly a much less exciting but no less important subject.

In the world of IT security, there are certifications and practicing professionals in areas of deep technical expertise, areas that focus on compliance, the so-called "internet of things" or IoT, legal issues, and a host of others. All of these are necessary, and each of them has a relationship to every other one. This is where the CISM can bring real value. These are very different parts and they must be brought together to ensure that the business learns and acts to protect what is truly valuable to it in optimally effective ways.

The CISM, built on a foundation of technical experience and expertise, endorses its holder's experience to orchestrate an information security program that aligns with business objectives, integrates with their priorities, and aids the operation to achieve these requirements together and in an appropriate balance.

So let's begin our exploration, information security governance, and let's begin with an overview of this area. So as basic a question as this might be, we have to ask: What is information? Well, information is a product of combining multiple pieces of otherwise seemingly unrelated data. And while we need the data to have authenticity and integrity, it is the combination of these as information that actually gives the data value by rendering it applicable to some situation or business condition.

It is this information that is the asset that every business, every government, and every other kind of organization possesses as one of its greatest, if not its greatest asset. It is this asset, this information, that enables the organization to conduct its business and achieve the goals of its mission. Given that this information asset has value, it becomes the target of anyone seeking to acquire this information in order to obtain its value while depriving its owner of that same value.

Over time, this kind of activity has taken place hundreds if not thousands or even tens of thousands of times. The lesson learned then is that protection of this information often is far less expensive than its loss, especially when you consider the fact that the information or its value must be recreated in addition to having to offset the loss that made this necessary. It is then the goal of the program to reduce and minimize these losses by putting in place protective measures.

In this graphic, we see that we have three basic elements. These are the primary elements of governance, including enterprise, corporate, and the security necessary to ensure well-aligned protection for them. These elements as you see in the graphic are overlapping and intersecting. They are also mutually reinforcing as you see to ensure regulatory compliance, to address risk and the management of it, and the enablement of organizational mission success.

Historically, senior management defines the objectives for the mission of the organization and sets priorities to be sought in achievement of that mission. In doing so, the protection of the assets involved in the mission pursuit must be protected from loss, theft, contamination, or corruption, or any other adverse influence that deprives the enterprise of making use of this most precious of assets. In pursuit of these goals, it is oftentimes desirable to explore and choose a framework that aligns with the type of business and its mission.

So, here we have GRC, sometimes referred to as The Trifecta. To put it another way, these three elements, governance, risk management, and compliance, are the three primary elements that must be prioritized by any information security program in alignment with the business priorities.

With risk management, we must address known risks and discover the unknown risks so that we can determine acceptable levels and methods of treatment. With governance, business management exercises proper fiduciary stewardship of its operations, its resources, and its human capital in pursuit of its mission success.

With compliance, the goal of course is to achieve regulatory compliance even as we achieve these other goals. This includes information protection, as well as normal business operations, such as finance, IT management, and audit. Regardless, these efforts must be in alignment with the overall business operations and its intended objectives, whether product or service to its customers. This responsibility in large measure will fall to the holder of the position of information security to ensure that the balance between business and security of its information resources is determined, achieved, and maintained.

Now we move on to section 26, in which we are going to discuss information security governance further and look into the goal and how to achieve it. So, here we have initial assumptions. In the previous section, we discussed the ideas of knowledge and awareness. In this discussion, we explored known knowns, known unknowns, unknown knowns, and unknown unknowns.

This section, known as known unknowns, we will also call assumptions. Here we begin with our assumptions and a number of known knowns to begin analysis of the situation, develop a statement of problems and targets, and the setting of goals to be achieved by this program. As we said in the operation in the previous discussion, these assumptions are statements about things we think we know but are not certain. These must be validated by first discovering them, inserting them into our problem analysis, and validating that they are possible and probable within certain limits.

In our assumptions, we must include tangible and intangible assets, positive and negative data, historical events, and desired objectives if we are to create the proper context in which we can set our goals to be achieved by our information protection program. This will lead us to the creation of the strategy, and very likely the selection of the framework by which we can pursue success with that strategy. So of course we want to set good and appropriate goals.

As I said, the context of our planned program and its orchestration and integration into the operation is the business itself and the goals of its operational strategic plan. These goals should clearly highlight the achievements of the business that it will pursue. Part of this will mean defining various priorities. And these in turn will define for us the priorities their information protection program must emphasize to assist and enable the enterprise to achieve its objectives.

One of the things that we have learned is that the information security program elements must be considered in the context and integrated into the processes employed to achieve these objectives. Doing so will ensure proper alignment of the protective measures for these assets. The goals of the program then should be stated in business terms. For the information security measures included in these programs, these should be likewise stated to ensure that security operations understand and continue to emphasize protection in such alignment.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.